Client-side security key generation

US 10,567,171 B2
Filed: 06/30/2017
Issued: 02/18/2020
Est. Priority Date: 06/30/2016
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving an initial request to access an application server by an application executing on a client device, the application including a security component comprising security code that operates on at least one parameter value;

in response to the initial request, providing the application one or more parameter values comprising a first parameter from which the security component can generate a secret cryptographic key at the client device by executing the security code by processing the first parameter with other data available at the client device;

receiving a security key used to sign a signed request by the application to the application server, the security key comprising data associated with the signed request that is encrypted using the secret cryptographic key;

generating the secret cryptographic key independently of the client device;

decrypting the security key after independently generating the secret cryptographic key;

checking if the security key is valid by using the secret cryptographic key to decrypt the security key and, after decrypting, analyzing the security key to determine whether the security key contains data collected at the client device that does not match a pattern of data collected when the request is generated by malware executing on the client device;

in response to determining that the security key is valid, causing processing of the request by the application server;

wherein the method is performed by one or more processors.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques are provided for client-side security key generation. An initial request is received from an application executing on a client device. The application includes a security component includes security code. In response to the initial request, a key component is generated. The key component includes one or more parameters from which a valid security key can be generated at the client device by executing the security code. The key component is provided to the client device. A security key associated with a request from the client device to an application server is received. The security key is checked for validity. In response to determining that the security key is valid, processing of the request by the application server is caused.

15 Citations

18 Claims

1. A method comprising:
- receiving an initial request to access an application server by an application executing on a client device, the application including a security component comprising security code that operates on at least one parameter value;
  
  in response to the initial request, providing the application one or more parameter values comprising a first parameter from which the security component can generate a secret cryptographic key at the client device by executing the security code by processing the first parameter with other data available at the client device;
  
  receiving a security key used to sign a signed request by the application to the application server, the security key comprising data associated with the signed request that is encrypted using the secret cryptographic key;
  
  generating the secret cryptographic key independently of the client device;
  
  decrypting the security key after independently generating the secret cryptographic key;
  
  checking if the security key is valid by using the secret cryptographic key to decrypt the security key and, after decrypting, analyzing the security key to determine whether the security key contains data collected at the client device that does not match a pattern of data collected when the request is generated by malware executing on the client device;
  
  in response to determining that the security key is valid, causing processing of the request by the application server;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein the application is generated based on a software development kit (SDK) provided to a developer of the application, wherein the SDK includes features for incorporating the security component in the application.
  - 3. The method of claim 1:
    - wherein the one or more parameter values includes a second parameter;
      
      wherein providing the one or more parameter values to the device comprises providing the first parameter in a first message and providing the second parameter in a second message;
      
      wherein the secret cryptographic key is generated by the security component of the application by executing the security code by processing the first parameter and the second parameter with other data available at the client device.
  - 4. The method of claim 1, further comprising receiving the signed request from the client device, wherein the security key is received from the client device in conjunction with the request to the application server, wherein causing processing of the request by the application server comprises forwarding the signed request to the application server.
  - 5. The method of claim 1:
    - wherein the security key is received from the application server after the application server receives the signed request comprising the security key from the client device;
      
      wherein causing processing of the signed request by the application server comprises notifying the application server that the security key is valid;
      
      wherein the application server processes the signed request after being notified that the security key is valid.
  - 6. The method of claim 1,wherein checking if the security key is valid comprises using the secret cryptographic key to decrypt the security key and determining whether the security key contains valid data associated with the request.
  - 7. The method of claim 1, further comprising:
    - receiving a second security key used to sign a second signed request by the application to the application server, the second security key comprising data associated with the second signed request that is encrypted by the security component using the secret cryptographic key;
      
      checking if the second security key is valid by using the secret cryptographic key to decrypt the second security key and determining whether the second security key includes valid data associated with the second signed request;
      
      in response to determining that the second security key is valid, causing processing of the second request.
  - 15. The method of claim 6, wherein the valid data associated with the request includes at least one of time information, duration information, device motion information, and cursor movement information.
  - 16. The method of claim 6, wherein the valid data associated with the request is collected from one or more sensors coupled with the client device.
  - 17. The system of claim 6, wherein the valid data associated with the request includes at least one of time information, duration information, device motion information, and cursor movement information.
  - 18. The system of claim 6, wherein the valid data associated with the request is collected from one or more sensors coupled with the client device.

8. A computer system comprising:
- one or more hardware processors;
  
  a memory coupled to the one or more hardware processors and storing one or more instructions which, when executed by the one or more hardware processors, cause the one or more hardware processors to;
  
  receive an initial request to access an application server by from an application executing on a client device, the application including a security component comprising security code that operates on at least one parameter value;
  
  in response to the initial request, providing the application one or more parameter values comprising a first parameter from which the security component can generate a secret cryptographic key at the client device by executing the security code by processing the first parameter with other data available at the client device;
  
  receive a security key used to sign a signed request by the application to the application server, the security key comprising data associated with the signed request that is encrypted using the secret cryptographic key;
  
  check if the security key is valid by using the secret cryptographic key to decrypt the security key and, after decrypting, analyzing the security key to determine whether the security key contains data collected at the client device that does not match a pattern of data collected when the request is generated by malware executing on the client device;
  
  in response to determining that the security key is valid, cause processing of the request by the application server.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The computer system of claim 8, wherein the application is generated based on a software development kit (SDK) provided to a developer of the application, wherein the SDK includes features for incorporating the security component in the application.
  - 10. The computer system of claim 8:
    - wherein the one or more parameter values includes a second parameter;
      
      wherein providing the one or more parameter values to the device comprises providing, first parameter in a first message and providing, the second parameter in a second message;
      
      wherein the secret cryptographic key is generated by the security component of the application by executing the security code by processing the first parameter and the second parameter with other data available at the client device.
  - 11. The computer system of claim 8, further comprising receiving the signed request from the client device, wherein the security key is received from the client device in conjunction with the request to the application server, wherein causing processing of the request by the application server comprises forwarding the signed request to the application server.
  - 12. The computer system of claim 8:
    - wherein the security key is received from the application server after the application server receives the signed request comprising the security key from the client device;
      
      wherein causing processing of the signed request by the application server comprises notifying the application server that the security key is valid;
      
      wherein the application server processes the signed request being notified that the security key is valid.
  - 13. The computer system of claim 8:
    - wherein checking if the security key is valid comprises using the secret cryptographic key to decrypt the security key and determining whether the security key contains valid data associated with the request.
  - 14. The computer system of claim 8, wherein the one or more instructions, when executed by the one or more hardware processors, cause the one or more hardware processors to:
    - receive a second security key used to sign a second signed request by the application to the application server, the second security key comprising data associated with the second signed request that is encrypted by the security component using the secret cryptographic key check if the second security key is valid by using the secret cryptographic key to decrypt the second security key and determine whether the second security key includes valid data associated with the second signed request;
      
      in response to determining that the second security key is valid, cause processing of the second request.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Shape Security Inc. (F5 Incorporated)
Original Assignee
Shape Security Inc. (F5 Incorporated)
Inventors
Schroeder, Carl, Hidayat, Ariya, Rentachintala, Chandrasekhar, Chiu, Ricky Y.
Primary Examiner(s)
Dolly, Kendall
Assistant Examiner(s)
Fields, Courtney D

Application Number

US15/640,399
Publication Number

US 20180006814A1
Time in Patent Office

963 Days
Field of Search
US Class Current
CPC Class Codes

H04L 9/06   the encryption apparatus us...

H04L 9/0819   Key transport or distributi...

H04L 9/0838   Key agreement, i.e. key est...

H04L 9/0877   using additional device, e....

H04L 9/321   involving a third party or ...

H04L 9/3234   involving additional secure...

Client-side security key generation

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

15 Citations

18 Claims

Specification

Use Cases

Quick Links

Others

Client-side security key generation

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

15 Citations

18 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others